Decoy bits method for direct encryption and key generation

ABSTRACT

A new cryptographic technique is disclosed, called decoy bits method, which can be used to obtain near ideal information theoretic security in both quantum and classical key generation and data encryption, not only for raw security but also under known-plaintext attacks. The technique relates to a method of data encryption by insertion of random bits, called decoy bits, into a data sequence whereby the decoy bits are discarded upon decryption. The positions of the decoy bits are determined by a decoy position determining mechanism. This method can be used in conjunction with other standards of encryption to increase security.

STATEMENT OF GOVERNMENT INTEREST

This invention was made with government support under grant number FA9550-09-1-0593 awarded by the Air Force Office of Scientific Research. The government has certain rights in the invention.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to data encryption and cryptographic methods.

2. Description of the Related Art

In current practice of data encryption and key generation, which is based on mathematical properties of classical data, there is no information theoretic security (ITS) under known-plaintext attacks (KPA) by an adversary Eve, or even just for raw security before the generated key K is used in public key systems. Instead, security is based on the computational complexity of obtaining the correct answer to a mathematical problem related to the cryptographic protocol employed. Such complexity-based security (CBS) may be insecure against future development of computational power and algorithms, and improvement on this security predicament is sought for a variety of applications.

New developments in physical cryptography that utilize either classical noise or quantum effects show some promise of obtaining ITS but are beset with fundamental security issues and efficiency problems. In particular, there are serious efficiency and security issues in connection with the quantum key distribution (QKD) protocol BB84. The KCQ (keyed communication in quantum noise) approach has been experimentally developed to a lesser extent, and a general security proof is yet to be obtained. A most serious difficulty for such proofs in both QKD and KCQ is the correlations between bits in the cryptosystem, as it is in classical and conventional mathematical cryptography.

Therefore, there is a need for cryptographic methods that yield quantifiable general security for almost any classical or quantum protocol of data encryption and key generation.

SUMMARY OF THE INVENTION

The present invention overcomes the limitations of the prior art by providing a cryptographic method that yields quantifiable general security for classical and quantum data encryption and key generation.

In one embodiment, the method includes the following steps: receiving a sequence of data bits, generating a sequence of decoy bits, and embedding the sequence of data bits among the sequence of decoy bits based on a decoy position determining mechanism to produce an embedded data sequence. In said embodiment, the sequence of data bits is the input, and the embedded data sequence is the output.

In one implementation, the embedded data sequence is produced by first generating a pseudorandom number sequence based on an encryption key and an encryption mechanism, and then embedding the sequence of data bits among the sequence of decoy bits based on the pseudorandom number sequence.

In one embodiment, the sequence of decoy bits is generated in a pseudorandom manner. In another embodiment, the sequence of decoy bits is generated in a true random manner.

In one embodiment, the received sequence of data bits is an encrypted data sequence which is encrypted using a separate encryption key and a separate encryption mechanism. In another embodiment, the embedded data sequence is further encrypted using a distinct encryption key and a distinct encryption mechanism. Each of the encryption keys may be a sequence of true random numbers. The running keys may be pseudorandom numbers generated from the true random number keys. In one approach, the running keys can be obtained by using the Advanced Encryption Standard (AES). In another approach, the running keys can be obtained by using a Linear Feedback Shift Register (LFSR) or nonlinear combinations thereof.

The ratio of data bits to total bits in the ciphertext is defined as the data rate. The ratio of decoy bits to total bits in the ciphertext is defined as the decoy rate. Generally, the data rate is adjustable between 0 and 1, and so is the decoy rate. In one embodiment, the method includes using a data rate of 90% or higher. In another embodiment, the method includes using a data rate of 50% or lower. In yet another embodiment, the method includes using a data rate of 0.1% or lower.

In one embodiment, the method may be implemented for data storage. In another embodiment, the method may be implemented for medical data. In yet another embodiment, the method may be implemented for financial data.

Other aspects of the invention include methods, devices, systems, applications, variations and improvements related to the concepts described above.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention has other advantages and features which will be more readily apparent from the following detailed description of the invention and the appended claims, when taken in conjunction with the accompanying drawings, in which:

FIG. 1 depicts the decoy bits method in the ciphertext decoy mode used to transmit data in a communication channel.

FIG. 2 illustrates detailed operation of the decoy bits method in the ciphertext decoy mode.

FIG. 3 depicts the decoy bits method in the data decoy mode used to transmit data in a communication channel.

FIG. 4 illustrates detailed operation of the decoy bits method in the data decoy mode.

FIG. 5A is a detailed example of embedding original data bits among a sequence of decoy bits to produce an embedded data sequence.

FIG. 5B is a detailed example of disembedding original data bits from the embedded data sequence.

The figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The figures and the following description relate to preferred embodiments by way of illustration only. It should be noted that from the following discussion, alternative embodiments of the structures and methods disclosed herein will be readily recognized as viable alternatives that may be employed without departing from the principles of what is claimed. To facilitate understanding, identical reference numerals have been used where possible, to designate identical elements that are common to the figures.

This disclosure relates to a novel cryptographic technique, called the decoy bits method (DBM), which yields quantifiable general security for almost any classical or quantum protocol of data encryption and key generation when it is deployed on top of that protocol. At the expense of a small reduction in data rate, it offers a substantial provable security gain.

In one embodiment, the DBM comprises embedding the original data among decoy bits whose bit positions are determined through a pseudorandom number generator (PRNG) driven by a secret key shared between the users. The bits in the decoy positions are filled from a true random number generator (TRNG). In other embodiments, a PRNG can also be used to fill the bits in the decoy positions, albeit with less security. In the quantum case, ITS is obtained for both TRNG and PRNG even under KPA. In the classical case, only CBS of different levels can be so obtained under KPA, but the levels are exponential in a proper key length. This DBM achieves ITS directly in the quantum case but also indirectly for the classical situation. In particular, classical key generation can be so obtained, which is more secure than all known public key techniques.

Classical and Quantum Data Encryption and Key Generation

A classical randomized encrypter on data sequence x with ciphertext y can be generally represented as follows,

y=E(x, k, r)   (1)

where E is the overall encryption map, k the overall shared secret key, and r a randomizer that only the transmitting user A may (or may not) know. Unique decryption means

x=D(y, k)   (2)

for an openly known function D that gives the correct x without knowing r. We call this classical direct encryption (CDE). If the cryptosystem is a quantum one, so that density operators take the place of classical probability distributions, it is called quantum direct encryption (QDE), a typical example of which is the PSK-Y00 (or Alpha-Eta) cryptosystem. The term raw security for direct encryption refers to the situation where the eavesdropper Eve has access only to the ciphertext random variable (sequence) Y and has no information on X (the plaintext random variable), which is the uniformly random variable U to her. In that case it is typical that the ciphertext leaks no information about k to Eve. The ciphertext is always openly known. In KPA, some subsequence of x is known to Eve, so that she could try to gain information on or even determine k from the known ciphertext, say in the conventional symmetric key cipher AES or in standard stream ciphers built from a PRNG, and then decrypt the rest of x. We will not need to distinguish the situation where Eve only has statistical knowledge on X, and let KPA stand for the case where some specific subsequence of x is known exactly to Eve.

One can do key generation from direct encryption; in that case privacy amplification can be employed to help improve security. In quantum key generation (QKG) a shared secret key K^(g) is to be generated between the users A and B which possesses ITS, that is, probabilistic uncertainty to Eve even when she has unlimited computational power. This uncertainty need not depend on that of the key k shared by the users, i.e., K^(g) is a fresh key. Such fresh key generation cannot be obtained with certainty classically as a consequence of the Shannon limit, and it turns out it cannot be obtained in QKD or KCQ either, due to the necessity of a shared secret key for open message authentication during protocol execution in the former and the explicit use of a shared secret key K in the latter. However, it is possible to generate a fresh key with a practically certain probability, i.e., obtaining a key that has whatever obtainable ITS level with near or practical certainty.

It is important to note that while no KPA can be launched against K^(g) during the key generation process, KPA can be launched with Eve's probe set when K^(g) is used. Thus, defense against KPA is necessary for QKG as in QDE or CDE. For CBS the security criterion is the number of computational steps needed to get the data or the key. In QKG the operational criteria have been given in terms of Eve's sequence success probabilities and her position-averaged bit error rate (BER) in estimating various parts of K^(g). It is these criteria that we will use in evaluating the DBM performance.

Before moving on to DBM proper, we note that an exponential CBS in terms of a controllable security parameter is basically as good as ITS. This is because an ITS security level of n uniform key bits just means there are 2^(n) possibilities in Eve's hand. If she can try them one by one, it takes a trial complexity of 2^(n) to guarantee success, which is no different from the same level of CBS. Indeed, one can formalize the success probability of any m≦n trials, including a single one, and get a guarantee similar to ITS for exponential CBS from a general trial complexity.

The Decoy Bits Method

The key new feature of the DBM is the introduction of decoy bits in two different possible ways: among the bits in a sequence of data bits or among the bits in an encrypted data sequence. After decryption, the decoy bits are usually discarded. In one embodiment, a PRNG with proper statistical properties, such as those offered by an LFSR, is used to determine which bit positions are the decoy ones.

FIG. 1 depicts the decoy bits method in the ciphertext decoy mode (CDM) 100 used to transmit data in a communication channel, according to one embodiment. The data sequence 105 (represented by x) is first encrypted 110 by a seed key K^(e) (with its running key k^(e)) and an encryption mechanism, although such a step may be omitted for simpler implementation. The encrypted data sequence 120 (represented by y′) can be written as:

y′=E(x, k ^(e) , r′)   (3)

where r′ simply represents the possibility of randomized encryption for y′ and is just included for generality. In alternative embodiments, the randomizer r′ may be omitted. In one embodiment, the seed key K^(e) is a sequence of true random numbers.

In one embodiment, the encrypted data sequence 120 is generated using AES. In another embodiment, the encrypted data sequence 120 is generated using an LFSR or nonlinear combinations thereof. In some cases, the encrypted data sequence 120 is generated using a stream cipher. Alternatively, the encrypted data sequence 120 is generated using a block cipher.

In one embodiment, the decoy bit sequence 140 (represented by r) is a sequence of true random numbers generated independently of other system components. The decoy bits are inserted into the encrypted data sequence 120 to produce a ciphertext sequence 150 (represented by y). The positions of the decoy bits are in general determined by a decoy position determining mechanism. In the embodiment depicted in FIG. 1, the positions of the decoy bits are determined by a pseudorandom number sequence generated from a pseudorandom number generator 130 with a seed key K^(d) and its own encryption mechanism. The seed keys K^(d) and K^(e) are independent of each other. In addition, the PRNG 130 employs an encryption mechanism that is also independent of the encryption mechanism in the encryption step 110. The resulting ciphertext sequence 150 has a length n′, which is greater than the length n of the encrypted data sequence 120 due to the insertion of decoy bits. The data rate is commonly defined as n/n′, and the decoy rate as 1−n/n′.

The ciphertext sequence 150 is transmitted through a communication channel 160. The communication channel 160 may include, but is not limited to, audio, visual, electrical, and electromagnetic communication channels. For example, the communication channel may be an optical fiber, an electrical cable, or free space. In one embodiment, classical signals are modulated by the ciphertext sequence 150, transmitted through the communication channel 160, and demodulated back into the ciphertext sequence 165 at the receiving end of the communication channel. In another embodiment, quantum signals are modulated by the ciphertext sequence 150, transmitted through the communication channel 160, and demodulated back into the ciphertext sequence 165. The modulation and demodulation modules are not depicted in FIG. 1 for the sake of simplicity.

If there is no error in the transmission process, the received ciphertext sequence 165 is exactly the same as the transmitted ciphertext sequence 150. A pseudorandom number generator 170 is employed to disembed the decoy bits from the ciphertext sequence 165, resulting in an encrypted data sequence 175. In general, the positions of the decoy bits are determined from the same decoy position determining mechanism used to embed the decoy bits. In the embodiment depicted in FIG. 1, the PRNG 170 shares the same seed key K^(d) and the same encryption mechanism as the PRNG 130. The decoy positions are determined from the PRNG 170, and the decoy bits are discarded. The encrypted data sequence 175 is then decrypted 180 by using the shared seed key K^(e) (and the same encryption mechanism as the encryption step 110) to obtain a data sequence 190. This decryption step 180 may be omitted if the encryption step 110 is omitted for simpler implementation.

FIG. 2 illustrates detailed operation of the decoy bits method in the ciphertext decoy mode. The encrypted data sequence 120 (y′) and the decoy bit sequence 140 (r) line up in buffers to be picked in succession by the pseudorandom number sequence 210 (k^(d)), which is generated from the pseudorandom number generator 130 with a seed key K^(d). In one embodiment, the positions of 1 bits in the pseudorandom number sequence k^(d) determine positions of the data bits (from the encrypted data sequence 120) in the ciphertext sequence 150, and the positions of 0 bits in the pseudorandom number sequence k^(d) determine positions of the decoy bits (from the decoy bit sequence 140) in the ciphertext sequence 150. In this embodiment, the mathematical representation of DBM-CDM is, with k_(i) ^(d) being the i^(th) output bit of the PRNG 130:

$$y_{i} = \begin{cases} y'_{j(i)} & \text{if } k^{d}_{i} = 1 \\ r_{l(i)} & \text{if } k^{d}_{i} = 0 \end{cases} \qquad (4)$$

In Eq. (4), the map j(i) is the bit position in the encrypted data sequence 120, which is numerically equal to the number of k_(i) ^(d)=1 positions that have occurred up to the i^(th) place in the pseudorandom number sequence 210. Similarly, the map l(i) is the bit position in the decoy bit sequence 140, which is numerically equal to the number of k_(i) ^(d)=0 positions that have occurred up to the i^(th) place in the pseudorandom number sequence 210. In this embodiment, what is done is simply to fill in random numbers (from the decoy bit sequence 140) at the decoy positions determined by the k_(i) ^(d)=0 positions in the k^(d)-sequence and to fill in successively the y′-sequence bits in the non-decoy or message positions (determined by the k_(i) ^(d)=1 positions in the k^(d)-sequence).

FIG. 3 depicts the decoy bits method in the data decoy mode (DDM) 300 used to transmit data in a communication channel, according to one embodiment. In one embodiment, the decoy bit sequence 320 (represented by r) is a sequence of true random numbers generated independently of other system components. The decoy bits are inserted into a data sequence 305 to produce an embedded data sequence 330 (represented by x′). The positions of the decoy bits are in general determined by a decoy position determining mechanism. In the embodiment depicted in FIG. 3, the positions of the decoy bits are determined by a pseudorandom number sequence generated from a pseudorandom number generator 310 with a seed key K^(d) and an encryption mechanism. The resulting embedded data sequence 330 has a length n′, which is greater than the length n of the data sequence 305 due to the insertion of decoy bits.

The embedded data sequence 335 is further encrypted 340 by a seed key K^(e) (with its running key k^(e)) and its own encryption mechanism, resulting in a ciphertext sequence 350 which typically has the same length n′ as the embedded data sequence 335. The seed keys K^(e) and K^(d) are independent of each other. In addition, the encryption mechanism in the encryption step 340 is also independent of the encryption mechanism employed by the PRNG 310. In this embodiment, the data rate is defined as n/n′, and the decoy rate as 1−n/n′. In some cases, the encryption step 340 may be omitted for simpler implementation. The ciphertext sequence 350 (represented by y) can be written as:

y=E(x′, k ^(e) , r′)   (5)

where r′ simply represents the possibility of randomized encryption for y and is just included for generality. In alternative embodiments, the randomizer r′ may be omitted. In one embodiment, the seed key K^(e) is a sequence of true random numbers.

In one embodiment, the ciphertext sequence 350 is generated using AES. In another embodiment, the ciphertext sequence 350 is generated using an LFSR or nonlinear combinations thereof. In some cases, the ciphertext sequence 350 is generated using a stream cipher. Alternatively, the ciphertext sequence 350 is generated using a block cipher.

The ciphertext sequence 350 is transmitted through a communication channel 360. The communication channel 360 may include, but is not limited to, audio, visual, electrical, and electromagnetic communication channels. For example, the communication channel may be an optical fiber, an electrical cable, or free space. In one embodiment, classical signals are modulated by the ciphertext sequence 350, transmitted through the communication channel 360, and demodulated back into the ciphertext sequence 365 at the receiving end of the communication channel. In another embodiment, quantum signals are modulated by the ciphertext sequence 350, transmitted through the communication channel 360, and demodulated back into the ciphertext sequence 365. The modulation and demodulation modules are not depicted in FIG. 3 for the sake of simplicity.

If there is no error in the transmission process, the received ciphertext sequence 365 is exactly the same as the transmitted ciphertext sequence 350. The ciphertext sequence 365 is decrypted 370 by using the shared seed key K^(e) (and the shared encryption mechanism of the encryption step 340) to obtain an embedded data sequence 375. This decryption step 370 may be omitted if the encryption step 340 is omitted for simpler implementation. A pseudorandom number generator 380 is employed to disembed the decoy bits from the embedded data sequence 375, resulting in a data sequence 390. In general, the positions of the decoy bits are determined from the same decoy position determining mechanism used to embed the decoy bits. In the embodiment depicted in FIG. 3, the PRNG 380 shares the same seed key K^(d) and the same encryption mechanism as the PRNG 310. The decoy positions are determined from the PRNG 380, and the decoy bits are discarded.

FIG. 4 illustrates detailed operation of the decoy bits method in the data decoy mode. The data sequence 305 (x) and the decoy bit sequence 320 (r) line up in buffers to be picked in succession by the pseudorandom number sequence 410 (k^(d)), which is generated from the pseudorandom number generator 310 with a seed key K^(d). In one embodiment, the positions of 1 bits in the pseudorandom number sequence k^(d) determine positions of the data bits (from the data sequence 305) in the embedded data sequence 330, and the positions of 0 bits in the pseudorandom number sequence k^(d) determine positions of the decoy bits (from the decoy bit sequence 320) in the embedded data sequence 330. In this embodiment, the mathematical representation of DBM-DDM is, with k_(i) ^(d) being the i^(th) output bit of the PRNG 310:

$$x'_{i} = \begin{cases} x_{j(i)} & \text{if } k^{d}_{i} = 1 \\ r_{l(i)} & \text{if } k^{d}_{i} = 0 \end{cases} \qquad (6)$$

In Eq. (6), the map j(i) is the bit position in the data sequence 305, which is numerically equal to the number of k_(i) ^(d)=1 positions that have occurred up to the i^(th) place in the pseudorandom number sequence 410. Similarly, the map l(i) is the bit position in the decoy bit sequence 320, which is numerically equal to the number of k_(i) ^(d)=0 positions that have occurred up to the i^(th) place in the pseudorandom number sequence 410. In this embodiment, what is done is simply to fill in random numbers (from the decoy bit sequence 320) at the decoy positions determined by the k_(i) ^(d)=0 positions in the k^(d)-sequence and to fill in successively the x-sequence bits in the non-decoy or message positions (determined by the k_(i) ^(d)=1 positions in the k^(d)-sequence).

Note that when there is no encryption map E involved and no error correcting code (ECC) is used, there is no difference between the ciphertext decoy mode 100 and the data decoy mode 300. In this scenario, the embedded data sequence (containing data bits and decoy bits) is the ciphertext, which may modulate classical signals or quantum signals before being transmitted down the communication channel. In general, the embedded data sequence can have an adjustable data rate (ratio of data bits to the total bits in the embedded data sequence) between 0 and 1. For example, a data rate as high as 90% or higher may be obtained in certain cases. On the other hand, a data rate as low as 0.1% or lower may be obtained in other cases.

FIG. 5A is a detailed example of embedding original data bits among a sequence of decoy bits to produce an embedded data sequence. As shown in this example of embedding 500, the original data bits 510 are embedded among the decoy bits 530 in the embedded data sequence 540, with the decoy positions determined by the pseudorandom number sequence 520 (k^(d)). For instance, the first bit in the embedded data sequence 540 is a message bit, because the first bit in the k^(d) sequence is 1. As another example, the third bit in the embedded data sequence 540 is a decoy bit, because the third bit in the k^(d) sequence is 0, and the map l(i) takes the first decoy bit from the decoy bits 530 (since the number of k_(i) ^(d)=0 positions that have occurred so far is 1).

FIG. 5B is a detailed example of disembedding original data bits from the embedded data sequence. In this example of disembedding 550, the embedded data sequence 540 is compared with the pseudorandom number sequence 520 (k^(d)) to determine the decoy positions, which are the positions of 0 bits in the k^(d) sequence. The bits in the decoy positions of the embedded data sequence 540 are determined to be decoy bits and are discarded. The remaining portion of the embedded data sequence 540 is the sequence of the original data bits 510.

Our DBM is a new cryptographic technique that has not previously been discussed in either classical or quantum cryptography. The proposed methodology differs from the clock-controlled or shrinking generator precisely because of the use of decoy bits, with the corresponding data rate reduction. The DBM is also different from decoy quantum states. The use of decoy quantum states was first described in the problem of quantum bit commitment, where such states serve a role similar in a weak sense, but not essentially similar, to the decoy bits in the present DBM. The different use of decoy quantum states to detect Eve's presence has become a common quantum key distribution technique for multi-photon sources, which is very different from DBM in everything but the word “decoy”. Note also that one needs to control the decoy states' characteristics for the purpose of checking Eve's presence, in contrast to DBM.

An LFSR m-Sequence Property and Some Implication

We will make basic use of the following property of an LFSR that can be chosen to yield m-sequences in its output corresponding to different input seed keys K (with running key k), which have a period of 2^(|K|)−1 for a |K|-stage LFSR with a primitive feedback polynomial. Note that we would use an n-bit m-sequence only for n far less than such a period, which always holds since |K|>100 in practice. Also, each m-sequence has ideal two-level autocorrelation, and a different K just translates (cyclically shifts) the output sequence. These imply the following:

Theorem 1:

The number of different bit positions between two distinct L-bit m-sequences, L=2^(|K|)−1, from the same LFSR is L/2 for even L and (L+1)/2 for odd L, when averaged over K. (For a full period, L=2^(|K|)−1 is always odd, so the value is (L+1)/2=2^(|K|−1).)

Theorem 1 has the following implication. Let the bit-position averaged bit error rate (BER) p_(b) for estimating the l bits in an l-bit sequence be the total number of bit errors divided by l. Let p̄_(b) be p_(b) averaged over the seed key of the LFSR.

Corollary 1:

If one guesses an l-bit LFSR m-sequence incorrectly by another such sequence, p̄_(b) is ½ for even l and ½+1/(2l) for odd l.

This implies the following significant fact that is not given in the cryptography literature. If one uses an LFSR m-sequence as the running key in a stream cipher, the raw security BER p̄_(b) from a ciphertext only attack (CTA) on the data is given by Corollary 1 if Eve guesses at the seed key K. Thus with a very high probability 1−2^(−|K|), which is practical certainty for |K|>100, we obtain perfect |K|-averaged security for any l-bit ciphertext sequence. Eve would get p_(b)=½ bit by bit if she guesses randomly. Eve's sequence error rate for an arbitrary subset of the data X is not quantified, except that it is uniformly random for ≦|K| consecutive positions. Thus, the n-bit data x is actually quite secure information theoretically despite the Shannon limit. When the data is a priori uniform to Eve, the key is fully protected in stream cipher mode at least. The usual security weakness of conventional symmetric-key ciphers lies in KPA, where typically the key is fully determined by |K| known data bits and only CBS can be obtained.
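The following Python is an added worked example, not the patent's own code. It implements the embedding of Eq. (4)/(6) and the disembedding of FIG. 5B with the decoy positions taken from an LFSR m-sequence, and then checks the m-sequence facts relied on in this section: two distinct shifts of one period differ in exactly (L+1)/2 positions (Theorem 1), a wrong guess of the running key therefore gives BER ½+1/(2L) (Corollary 1), and a period contains exactly one run of |K| ones (the run property used later for Theorem 2). It also shows Eve's exhaustive seed search under KPA. The 5-stage LFSR with feedback from stages 5 and 2, the seed and the 16 data bits are constructed for illustration; the page assumes |K^(d)|>100 in practice.

```python
"""Decoy bits method (DBM) toy: LFSR m-sequence decoy positions, the Eq. (4)/(6)
embedding and FIG. 5B disembedding, and checks of the m-sequence facts used by
Theorem 1, Corollary 1 and the run property. Added example, not the patent's code."""
import secrets

# Hypothetical toy parameters: a 5-stage Fibonacci LFSR with feedback from stages
# 5 and 2. Its recurrence f_n = f_{n-2} xor f_{n-5} has the primitive characteristic
# polynomial x^5 + x^3 + 1, so the output is an m-sequence of period L = 2**5 - 1 = 31.
STAGES = 5
TAPS = (5, 2)
PERIOD = 2 ** STAGES - 1


def lfsr_msequence(seed, length):
    """Run the LFSR from `seed` (STAGES bits, not all zero) and return `length`
    output bits: the running key k^d derived from the seed key K^d."""
    state = list(seed)
    if len(state) != STAGES or not any(state):
        raise ValueError("seed must be STAGES bits and not all zero")
    out = []
    for _ in range(length):
        out.append(state[-1])                     # output the last stage
        fb = 0
        for t in TAPS:
            fb ^= state[t - 1]
        state = [fb] + state[:-1]                 # shift, feed back into stage 1
    return out


def embed(data_bits, position_bits, decoy_source):
    """Eq. (4)/(6): walk k^d; a 1 takes the next data bit (map j(i)), a 0 takes a
    fresh decoy bit (map l(i)). Stops once every data bit has been placed."""
    out, j = [], 0
    for kd in position_bits:
        if j == len(data_bits):
            break
        if kd == 1:
            out.append(data_bits[j])
            j += 1
        else:
            out.append(decoy_source())
    if j < len(data_bits):
        raise ValueError("position sequence too short for the data")
    return out


def disembed(embedded_bits, position_bits):
    """FIG. 5B: keep the bits at k^d = 1 positions, discard the decoys."""
    return [b for b, kd in zip(embedded_bits, position_bits) if kd == 1]


def true_random_bit():
    return secrets.randbits(1)                    # TRNG stand-in for the decoy bits r


def round_trip(data_bits, seed, decoy_source=true_random_bit):
    """Embed with k^d from `seed`, disembed with the same seed.
    Returns (ciphertext y, recovered data, data rate n/n')."""
    kd = lfsr_msequence(seed, 4 * len(data_bits) + PERIOD)   # ample headroom
    y = embed(data_bits, kd, decoy_source)
    return y, disembed(y, kd), len(data_bits) / len(y)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def shift_distances():
    """Theorem 1: any other seed just shifts the m-sequence, and two distinct
    shifts of one period differ in exactly (L + 1) / 2 positions."""
    base = lfsr_msequence((1, 0, 0, 0, 0), PERIOD)
    return sorted({hamming(base, base[s:] + base[:s]) for s in range(1, PERIOD)})


def wrong_guess_ber():
    """Corollary 1 for l = L: a wrong guess of the running key gives BER 1/2 + 1/(2L)."""
    return shift_distances()[0] / PERIOD


def longest_run_of_ones(bits):
    """Run property: an m-sequence has exactly one run of STAGES ones per period."""
    best = cur = 0
    for b in bits:
        cur = cur + 1 if b else 0
        best = max(best, cur)
    return best


def kpa_candidate_seeds(ciphertext, known_data):
    """Eve's KPA of Theorem 2: the known data tells her nothing about k^d, so she
    tries every nonzero seed and keeps those that reproduce the known data."""
    cands = []
    for s in range(1, 2 ** STAGES):
        seed = tuple((s >> i) & 1 for i in range(STAGES))
        if disembed(ciphertext, lfsr_msequence(seed, len(ciphertext))) == known_data:
            cands.append(seed)
    return cands


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]     # constructed sample
    y, x, rate = round_trip(data, (1, 0, 1, 1, 0))
    print("ciphertext:", y, "recovered OK:", x == data, "data rate: %.2f" % rate)
    print("shift distances:", shift_distances(), "wrong-guess BER: %.4f" % wrong_guess_ber())
    print("KPA candidate seeds:", kpa_candidate_seeds(y, data))
```

Because the ciphertext here is cut right after the last data bit, the final position is always a data position; a real frame would consume a fixed number n′ of position bits and pad with decoys so that frame boundaries leak nothing. With 31 possible seeds the exhaustive search finishes instantly, which is exactly why the page insists on |K^(d)|>100: the point of Theorem 2 is that nothing better than this enumeration is available to Eve.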

Security of The Decoy Bits Method

Let us examine the use of DBM (in CDM) given by Equations (3)-(4). For raw data security we see that if Eve simply guesses at the n encrypted data positions among the n′ ciphertext positions, without using the fact that they are generated from the m-sequence of an LFSR with a seed key K^(d), she will have error probability p_(b)(i)=½ at each i^(th) position of getting the correct encrypted bit. If she guesses k^(d) using the LFSR structure, Corollary 1 shows that with practical certainty she still gets p̄_(b)=½ for each bit position. The DBM adds to that p_(b)=½ for each specific k^(d) also, other than a few starting bits, because the decoy positions are filled with true random numbers. For Eve's sequence success probabilities there is compound security from the additional DBM key K^(d) in addition to the E key K^(e). All this is expected, and raw security is stronger than with K^(e) alone in the expected way.

The very major difference occurs in the crucial KPA security. Without decoy bits the non-random ciphers are broken information theoretically in KPA with a rather short known data length, typically just the same length as the key size. In the DBM case there is exponential security, where each of the possible n′-bit m-sequences from the LFSR with a seed key K^(d) has to be tried one by one. This is because the data known to Eve has nothing to do with the decoy-position fixing m-sequence. She would need to guess at a correct |K^(d)|-run of 1's in the correct data position sequence, since there are no runs of 1's longer than |K^(d)|. Her probability of estimating K^(d) correctly for getting at the unknown data bits is 2^(−|K^(d)|), since |K^(d)| consecutive data positions are needed to determine the seed key K^(d). If she guesses incorrectly, the sequence error on K^(d) would lead to a Ŷ and thus an X̂ that differs from the correct one with probability ½ in each position. This is because true-random-number decoy bits are used and the other ciphertext bits are also independent uniform bits when an additive stream cipher is used on uniform original data x. Indeed this holds more broadly for known x and a variety of E when E's seed key K^(e) (unknown to Eve) is taken into account. In any event, as long as K^(d) is incorrectly estimated the DBM succeeds, in that no match of the given ciphertext could be obtained from Eve's generation of it from the known x and the guessed K^(d), thus ensuring each K^(d) has to be tried one by one. Now we can consider the best strategy from Eve's viewpoint against a PRNG that determines the decoy positions with a pseudorandom number sequence k^(d) that satisfies the three Golomb randomness postulates, which is the case for m-sequences generated from an LFSR. In one embodiment, we let the 0 bits in k^(d) determine the decoy positions. The following is obtained when no K^(e) is employed. The strengthening of security with K^(e) depends on the exact E used in Eq. (3) or Eq. (5).

Theorem 2:

Under KPA the CBS of DBM with a seed key K^(d) is 2^(|K^(d)|).

Proof:

In addition to the above guessing, it is best for Eve to minimize the probability of hitting any decoy bits in a KPA by trying the minimum of |K^(d)| consecutive bit positions and hoping that they generate the correct matching y′ to the known x. From the “run property” of m-sequences, the probability that |K^(d)| consecutive bits drawn at random out of the N=2^(|K^(d)|)−1 bits of the m-sequence are all 1 is upper bounded by 2^(−|K^(d)|), since there is only one such run per period. For n<N the probability can only be smaller. After a KPA trial failure each additional trial is of the same nature as searching for the |K^(d)| consecutive 1's. Thus, this way of attack has a lower chance of success than guessing the key directly, and Eve's optimum trial complexity is as given by Theorem 2.

Corollary 2:

The probability that M trials (of success or failure) would break the cryptosystem is M/2^(|K^(d)|).

Note that it is quite possible a matching K^(d) in KPA may be found which matches x and the ciphertext even though it is not the correct K^(d), due to the many random elements involved. In such a case Eve is misled and gets a wrong estimate of K^(d) as if it were correct. This can be formalized by the concept of unicity distance, the data length required for a KPA to pin down the seed key uniquely. While residual information theoretic security may remain even for very long known data length, it appears that for long enough n′ Eve can indeed determine K^(d) in principle in a KPA.

Note that the security considered here arises entirely from K^(d). The use of K^(e) is not essential classically but is used in conjunction with the KCQ approach.

The above use of an LFSR gives a decoy rate of ½. The corresponding data rate is 50%. In general, the decoy rate and the corresponding data rate are adjustable. One can vary the decoy rate by using a PRNG to determine at what positions to insert decoy bits, at any decoy rate. If the decoy rate is higher than 50%, the corresponding data rate would become less than 50%. Furthermore, one can choose a decoy position determining mechanism that would ensure that at least one decoy bit is included in any |K^(d)| consecutive bits. The quantitative CBS security level against KPA and the ITS security level for raw security depend on the exact decoy position determining mechanism. The DBM can also be used with far fewer decoy bits for comparable CBS security against KPA as given by Theorem 2. This would result in a data rate as high as 90%, or even higher. This is important when the data rate reduction is to be kept as small as possible for a given security level. Alternatively, more decoy bits can be used for increased security, effectively decreasing the data rate to as low as 0.1%, or even lower.

For ease of implementation, pseudorandom numbers can be used for the decoy bits in lieu of true random numbers. The quantitative security level for pseudorandom-number decoy bits would remain the same as that for true-random-number decoy bits when fewer than |K^(d)| or |K^(r)| data bits are known to Eve, where K^(r) is the seed key for generating the sequence of pseudorandom decoy bits.
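As an added example (not code from the patent), the following Python sketch implements the classical DBM described above and in claims 1 and 8: an LFSR m-sequence seeded with K^(d) fixes the decoy positions, data bits go where r=1 and true-random decoy bits where r=0, and the receiver keeps only the r=1 positions. The feedback polynomial x^5 + x^2 + 1, the 5-bit seed and the sample data are assumptions; the `longest_run_of_ones` check exhibits the run property that Theorem 2 rests on (exactly one run of |K^(d)| ones per period).

```python
# Added illustration of the decoy bits method (not the patent's own code).
# r is the m-sequence of a Fibonacci LFSR seeded with K^(d); r_i = 1 carries a
# data bit, r_i = 0 a fresh random decoy bit. Polynomial x^5 + x^2 + 1 assumed.
import secrets

DEGREE = 5  # |K^(d)|: the seed key is the 5-bit initial LFSR state


def lfsr(seed_key):
    """Yield the m-sequence r (period 2**DEGREE - 1) seeded with K^(d)."""
    if len(seed_key) != DEGREE or not any(seed_key):
        raise ValueError("K^(d) must be a non-zero state of DEGREE bits")
    state = list(seed_key)
    while True:
        yield state[0]
        state = state[1:] + [state[0] ^ state[2]]  # s[n+5] = s[n] ^ s[n+2]


def m_sequence(seed_key, length):
    """First `length` bits of r, for inspecting period and run structure."""
    gen = lfsr(seed_key)
    return [next(gen) for _ in range(length)]


def embed(data_bits, seed_key, decoy_source=None):
    """Embedded sequence of claim 1: data bits where r=1, decoy bits where r=0."""
    # The LFSR runs until every data bit is placed, so n' exceeds n by the
    # number of decoys inserted (about n here, i.e. a data rate near 1/2).
    decoy_source = decoy_source or (lambda: secrets.randbits(1))
    placed, out = 0, []
    r, data = lfsr(seed_key), iter(data_bits)
    while placed < len(data_bits):
        if next(r) == 1:
            out.append(next(data))
            placed += 1
        else:
            out.append(decoy_source())  # decoy bit, discarded by the receiver
    return out


def extract(embedded_bits, seed_key):
    """Recover the data (claim 8): keep positions where r=1, drop the rest."""
    r = lfsr(seed_key)
    return [bit for bit in embedded_bits if next(r) == 1]


def longest_run_of_ones(period_bits):
    """(max run length, count of such runs) of 1's over one cyclic period:
    Golomb's run property gives exactly one run of DEGREE ones per period."""
    if 0 not in period_bits:
        return len(period_bits), 1
    start = period_bits.index(0)  # rotate so no run wraps around the end
    rotated = period_bits[start:] + period_bits[:start]
    best = count = run = 0
    for b in rotated + [0]:  # trailing 0 flushes the final run
        if b == 1:
            run += 1
            continue
        if run > best:
            best, count = run, 1
        elif run and run == best:
            count += 1
        run = 0
    return best, count
```

With the constructed seed [1, 0, 0, 0, 0] the period-31 sequence has 16 ones and a single run of five, so eight data bits produce a 17-bit embedded sequence; extracting with any other seed yields a different bit string.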

Applications to Data Encryption, Key Generation, and Data Storage

Theorem 2 shows the CBS security level of DBM in classical direct encryption as well as classical key generation. In addition to a possible residual ITS level remaining for any finite sequence of known data, there is a sense in which ITS is still obtained in any case by the meaning of Corollary 2. Indeed, the provable exponential complexity of key generation, even against KPA, shows the use of DBM is superior to public key cryptography as far as security goes for the purpose of key distribution. There is no proved security in such asymmetric key ciphers, in addition to their reliance on complexity assumptions for raw security which are also weaker than exponential complexity.

There is a very significant application of DBM to data storage via classical direct encryption, to which it is immediately applicable in conventional mathematics-based ciphers, in contrast to physical and especially quantum cryptography. DBM is CBS secure against KPA, also offering a security guarantee that is not compromised by future development of computational power including quantum computers or algorithm development. In another embodiment, the DBM may be implemented for medical data. In yet another embodiment, the DBM may be implemented for financial data.

Applications of DBM in Quantum Cryptography

In this section we first review some salient points on QKG and QDE using the two different approaches of QKD and KCQ. We will then explain how DBM can be used in each approach. The case of classical randomization and noise is similar, because it is the quantitative advantage creation by the users that is relevant in key generation and even direct encryption. Quantum cryptography is distinguished only in that quantum effects with no classical analog are used for such advantage creation.

In QKD, which involves intrusion level estimation, only key generation is possible with no direct encryption. In a QKD protocol, the presence of Eve's attack is checked by a separate sequence of quantum signals. If the intrusion level is below a certain design threshold, the users would conclude that a net key can be obtained after error correction, typically by use of an error correcting code (ECC), and then privacy amplification, typically from a privacy amplification code (PAC) that is drawn from linear universal hashing.

In a KPA on such QKD protocols, Eve keeps her quantum probe set during the protocol execution. Then she learns part of the final generated key K^(g) when it is used, say in one-time-pad form, and tries to estimate the other data from the one-time-pad ciphertext, her knowledge of the K^(g) segment from KPA, and the measurement result of her choice of quantum measurement made with all her then available information. Proper advantage creation would hopefully entail that the users could derive more information on the input data from their ciphertext signals than that by Eve from her ciphertext signals. Note that the ciphertext signals in the two cases are different, always in active attacks but often so even in a passive attack in which Eve just takes in a portion of each transmitted ciphertext signal by beam-splitting. It is a difficult task to prove any general security against joint (coherent) attacks, with serious quantitative problems at several turns. In the next section it will be shown how provable ITS is readily obtained with our DBM.

There is another approach to QKG and QDE, called KCQ (keyed communication in quantum noise). In this approach, the optimal quantum receiver principle for M-ary quantum detection is used, which is one form of no-cloning in that the optimal quantum measurement depends on the specific signal set. There is no universal measurement that is optimal for different signal sets, in contrast to the classical case. This KCQ underlying principle is evidently stronger than the usual no-cloning in several ways. As a consequence, intrusion level estimation can be dispensed with entirely and large-energy signals can be used, thereby greatly improving the efficiency of the cryptosystem and, as it turns out, its security also. The key point for the possible secure use of an LFSR lies in our Theorems 1-2 and Corollaries 1-2 above, which are new. Only security against collective attacks can be quantified, similar to the QKD case, although in QKD it is erroneously but widely believed otherwise.

Now let us examine DBM in QKG and QDE. The DBM can be directly applied to quantum signals modulated by the original data bits. User A just inserts random numbers into the decoy positions instead. Demodulation, decoding, and decryption would go forward as usual. The raw ITS security of DBM from Corollary 1 is already ideal without quantum advantage creation.

The crucial point for DBM quantum cryptography is that Eve could only make one measurement on her probe. In both QKD and KCQ, the correct measurement, which varies from qubit to qubit (or qumode), is needed to extract data information with no distortion. In a KPA, Eve needs to make a measurement upon her guess of the seed key K^(d) for all the qubits and has a probability of success 2^(−|K^(d)|), or she could try |K^(d)|-runs of 1's. In such a case she would not have the same probability of success ~2^(−|K^(d)|) in each trial with a small increase from the decrease of the 2^(|K^(d)|)−1 sample space size after m trials by just m. This is because during the first trial the quantum measurement already fixes the K^(d) positions and Eve could try only n₀/|K^(d)| cases instead of n₀−|K^(d)|+1 in the classical situation (the other ones do not have the necessary quantum freedom). Here n₀ is the length of the known consecutive data bits. The encryption of the data bits by E of Equations (1)-(2), which involves measurement choice by Eve in this situation, decreases the success probability by a lot, but we ignore this since she is already bound by ~2^(−|K^(d)|) without taking that into account.

The above shows that Eve could not try all the 2^(|K^(d)|) cases as in the classical situation, thus gaining ITS in QDE. The only remaining general way is to make a universal measurement on the qubits or qumodes that would render the whole situation a classical one. We will now give the ITS KPA security for QDE under such a universal measurement. We have the following:

Theorem 3:

The KPA security of KCQ direct encryption under DBM is given by the users' probability levels of correctly making the bit decisions versus that from a universal measurement.

Proof:

When Eve launches a universal measurement attack, she would get the measurement result incorrectly for the given signal set with a probability of p_(e)^(E) for either binary or M-ary signals:

p_(e)^(E) ~ 2^(−λ_(e)),   p_(e)^(B) ~ 2^(−λ_(u)),   λ_(e), λ_(u) > 1   (7)

In Eq. (7), p_(e)^(E) depends on the specific signal set and the universal measurement, and p_(e)^(B) is the users' corresponding error probability before ECC. Under universal measurement Eve's K^(d)-averaged success probability p_(c)^(E) ≡ 1−p_(e)^(E) for each KPA trial is given by

$$\overline{p}_{c}^{E} = \sum_{r=0}^{K^{d}} 2^{-2r}\left(1 - 2^{-\lambda_{e}}\right)^{n-r} \qquad (8)$$

Thus, the users' advantage λ_(u)>λ_(e) shows that an ECC can be found for the users but with remaining errors for Eve as given in Eq. (8), providing ITS security in KPA on top of K^(d) and any shared secret key.

The advantage over Eve from Eq. (7) is to be obtained from the KCQ approach, which involves encryption over a K^(e). To get true ITS in QKG, such K^(e) use is necessary, in contrast to the classical case where K^(e) may be dispensed with for CBS or its induced ITS.

In a direct QKG approach, one may bound Eve's overall average probability of identifying the whole data n-sequence and then employ PAC on top, dealing with ECC separately. The corresponding general case is complicated and will be presented elsewhere. However, under universal measurement the usual theory for QKD as well as KCQ can be directly applied for key generation with ITS.

Note that DBM is well suited to QKD by using K^(d) to choose the sifted key and the remaining qubits for checking the quantum bit error rate (QBER). For instance, the qubits to be checked for QBER may be selected from the decoy positions (determined by PRNGs with a shared secret seed key K^(d)). In this case, the qubits in the selected decoy positions serve an additional useful purpose of checking QBER, prior to being discarded. The qubits in the non-decoy positions are thus maximally preserved to generate the sifted key. Note also that loss effects and all system imperfection problems are automatically resolved in DBM from the decoy bits.

We have described a very powerful new cryptographic technique, the decoy bits method, which is widely applicable to different media of transmission and storage in various cryptographic functions, classical or quantum. Most significantly, it allows rigorous general security proofs for the first time ever in cryptography, other than the one-time pad.

Some portions of this description describe the embodiments in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times to refer to these arrangements of operations as modules, without loss of generality. The described operations and their associated modules may be embodied in software, firmware, hardware, or any combinations thereof.

Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software modules, alone or in combination with other devices. In one embodiment, a software module is implemented with a computer program product comprising a non-transitory computer-readable medium containing computer program instructions, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.

Embodiments may also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, and/or it may comprise a general-purpose computing device selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a tangible computer readable storage medium, which includes any type of tangible media suitable for storing electronic instructions, and coupled to a computer system bus. Furthermore, any computing systems referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.

Although the detailed description contains many specifics, these should not be construed as limiting the scope of the invention but merely as illustrating different examples and aspects of the invention. It should be appreciated that the scope of the invention includes other embodiments not discussed in detail above. For example, the DBM can be used at many different data rates which are suitable for different kinds of applications, such as financial, medical, internet, military, etc. Various other modifications, changes and variations which will be apparent to those skilled in the art may be made in the arrangement, operation and details of the method and apparatus of the present invention disclosed herein without departing from the spirit and scope of the invention as defined in the appended claims. Therefore, the scope of the invention should be determined by the appended claims and their legal equivalents.

What is claimed is:
 1. A method comprising: obtaining a sequence of data bits; obtaining a sequence of decoy bits; obtaining a random number sequence; forming an embedded data sequence by placing bits of the sequence of data bits at locations where bits of the random number sequence have a first value and placing bits of the sequence of decoy bits at locations where bits of the random number sequence have a second value; transmitting the embedded data sequence through a communication channel.
 2. The method of claim 1, further comprising encrypting the embedded data sequence before transmitting through the communication channel.
 3. The method of claim 1, wherein the sequence of data bits is encrypted.
 4. The method of claim 1, wherein transmitting the embedded data sequence through the communication channel comprises modulating classical signals using the embedded data sequence.
 5. The method of claim 1, wherein transmitting the embedded data sequence through the communication channel comprises modulating quantum signals using the embedded data sequence.
 6. The method of claim 1, wherein obtaining the random number sequence comprises using a seed key.
 7. The method of claim 1, wherein the random number sequence is pseudorandom.
 8. A method comprising: receiving an embedded data sequence comprising bits of a sequence of data bits and bits of a sequence of decoy bits; obtaining a random number sequence; obtaining the sequence of data bits by selecting bits of the embedded data sequence at locations where bits of the random number sequence have a first value.
 9. The method of claim 8, further comprising decrypting the embedded data sequence.
 10. The method of claim 8, further comprising decrypting the sequence of data bits.
 11. The method of claim 8, wherein receiving the embedded data sequence through the communication channel comprises demodulating classical signals.
 12. The method of claim 8, wherein receiving the embedded data sequence through the communication channel comprises demodulating quantum signals.
 13. The method of claim 8, wherein obtaining the random number sequence comprises using a seed key.
 14. The method of claim 8, wherein the random number sequence is pseudorandom.
 15. A computer system for a communication channel, comprising: a module configured to form an embedded data sequence by placing bits of a sequence of data bits at locations where bits of a random number sequence have a first value and placing bits of a sequence of decoy bits at locations where bits of the random number sequence have a second value, and configured to transmit the embedded data sequence through the communication channel.
 16. The computer system of claim 15, wherein the module is further configured to encrypt the embedded data sequence before transmitting through the communication channel.
 17. The computer system of claim 15, wherein the sequence of data bits is encrypted.
 18. The computer system of claim 15, wherein the module is further configured to modulate classical signals using the embedded data sequence.
 19. The computer system of claim 15, wherein the module is further configured to modulate quantum signals using the embedded data sequence.
 20. The computer system of claim 15, wherein the random number sequence is generated using a seed key.
 21. The computer system of claim 15, wherein the random number sequence is pseudorandom.
 22. A computer system for a communication channel, comprising: a module configured to receive an embedded data sequence through the communication channel, and configured to obtain a sequence of data bits by selecting bits of the embedded data sequence at locations where bits of a random number sequence have a first value.
 23. The computer system of claim 22, wherein the module is further configured to decrypt the embedded data sequence.
 24. The computer system of claim 22, wherein the module is further configured to decrypt the sequence of data bits.
 25. The computer system of claim 22, wherein the module is further configured to demodulate classical signals received through the communication channel.
 26. The computer system of claim 22, wherein the module is further configured to demodulate quantum signals received through the communication channel.
 27. The computer system of claim 22, wherein the random number sequence is generated using a seed key.
 28. The computer system of claim 22, wherein the random number sequence is pseudorandom.